From 24def311c6168d0dfb7c5f0f183b72b709c49265 Mon Sep 17 00:00:00 2001
From: Jean Delvare <jdelvare@suse.de>
Date: Mon, 20 Feb 2023 14:53:21 +0100
Subject: [PATCH] dmidecode: Split table fetching from decoding

Clean up function dmi_table so that it does only one thing:
* dmi_table() is renamed to dmi_table_get(). It now retrieves the
  DMI table, but does not process it any longer.
* Decoding or dumping the table is now done in smbios3_decode(),
  smbios_decode() and legacy_decode().
No functional change.

A side effect of this change is that writing the header and body of
dump files is now done in a single location. This is required to
further consolidate the writing of dump files.

CVE-ID: CVE-2023-30630
Upstream-Status: Backport [https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=39b2dd7b6ab7]

Backport Changes:
- In the file dmidecode.c, the commit [dd593d2] in v3.3 introduces
  pr_info(). This is backported to printf() as per v3.2.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Reviewed-by: Jerry Hoemann <jerry.hoemann@hpe.com>
(cherry picked from commit 39b2dd7b6ab719b920e96ed832cfb4bdd664e808)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
---
 dmidecode.c | 86 ++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 62 insertions(+), 24 deletions(-)

diff --git a/dmidecode.c b/dmidecode.c
index a3e9d6c..d6eedd1 100644
--- a/dmidecode.c
+++ b/dmidecode.c
@@ -5211,8 +5211,9 @@ static void dmi_table_decode(u8 *buf, u32 len, u16 num, u16 ver, u32 flags)
 	}
 }
 
-static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
-		      u32 flags)
+/* Allocates a buffer for the table, must be freed by the caller */
+static u8 *dmi_table_get(off_t base, u32 *len, u16 num, u32 ver,
+			 const char *devmem, u32 flags)
 {
 	u8 *buf;
 
@@ -5231,7 +5232,7 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
 		{
 			if (num)
 				printf("%u structures occupying %u bytes.\n",
-				       num, len);
+				       num, *len);
 			if (!(opt.flags & FLAG_FROM_DUMP))
 				printf("Table at 0x%08llX.\n",
 				       (unsigned long long)base);
@@ -5249,19 +5250,19 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
 		 * would be the result of the kernel truncating the table on
 		 * parse error.
 		 */
-		size_t size = len;
+		size_t size = *len;
 		buf = read_file(flags & FLAG_NO_FILE_OFFSET ? 0 : base,
 			&size, devmem);
-		if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)len)
+		if (!(opt.flags & FLAG_QUIET) && num && size != (size_t)*len)
 		{
 			fprintf(stderr, "Wrong DMI structures length: %u bytes "
 				"announced, only %lu bytes available.\n",
-				len, (unsigned long)size);
+				*len, (unsigned long)size);
 		}
-		len = size;
+		*len = size;
 	}
 	else
-		buf = mem_chunk(base, len, devmem);
+		buf = mem_chunk(base, *len, devmem);
 
 	if (buf == NULL)
 	{
@@ -5271,15 +5272,9 @@ static void dmi_table(off_t base, u32 len, u16 num, u32 ver, const char *devmem,
 			fprintf(stderr,
 				"Try compiling dmidecode with -DUSE_MMAP.\n");
 #endif
-		return;
 	}
 
-	if (opt.flags & FLAG_DUMP_BIN)
-		dmi_table_dump(buf, len);
-	else
-		dmi_table_decode(buf, len, num, ver >> 8, flags);
-
-	free(buf);
+	return buf;
 }
 
 
@@ -5314,8 +5309,9 @@ static void overwrite_smbios3_address(u8 *buf)
 
 static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
 {
-	u32 ver;
+	u32 ver, len;
 	u64 offset;
+	u8 *table;
 
 	/* Don't let checksum run beyond the buffer */
 	if (buf[0x06] > 0x20)
@@ -5341,8 +5337,12 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
 		return 0;
 	}
 
-	dmi_table(((off_t)offset.h << 32) | offset.l,
-		  DWORD(buf + 0x0C), 0, ver, devmem, flags | FLAG_STOP_AT_EOT);
+	/* Maximum length, may get trimmed */
+	len = DWORD(buf + 0x0C);
+	table = dmi_table_get(((off_t)offset.h << 32) | offset.l, &len, 0, ver,
+			      devmem, flags | FLAG_STOP_AT_EOT);
+	if (table == NULL)
+		return 1;
 
 	if (opt.flags & FLAG_DUMP_BIN)
 	{
@@ -5351,18 +5351,28 @@ static int smbios3_decode(u8 *buf, const char *devmem, u32 flags)
 		memcpy(crafted, buf, 32);
 		overwrite_smbios3_address(crafted);
 
+		dmi_table_dump(table, len);
 		if (!(opt.flags & FLAG_QUIET))
 			printf("# Writing %d bytes to %s.\n", crafted[0x06],
 			       opt.dumpfile);
 		write_dump(0, crafted[0x06], crafted, opt.dumpfile, 1);
 	}
+	else
+	{
+		dmi_table_decode(table, len, 0, ver >> 8,
+				 flags | FLAG_STOP_AT_EOT);
+	}
+
+	free(table);
 
 	return 1;
 }
 
 static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
 {
-	u16 ver;
+	u16 ver, num;
+	u32 len;
+	u8 *table;
 
 	/* Don't let checksum run beyond the buffer */
 	if (buf[0x05] > 0x20)
@@ -5402,8 +5412,13 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
 		printf("SMBIOS %u.%u present.\n",
 			ver >> 8, ver & 0xFF);
 
-	dmi_table(DWORD(buf + 0x18), WORD(buf + 0x16), WORD(buf + 0x1C),
-		ver << 8, devmem, flags);
+	/* Maximum length, may get trimmed */
+	len = WORD(buf + 0x16);
+	num = WORD(buf + 0x1C);
+	table = dmi_table_get(DWORD(buf + 0x18), &len, num, ver << 8,
+			      devmem, flags);
+	if (table == NULL)
+		return 1;
 
 	if (opt.flags & FLAG_DUMP_BIN)
 	{
@@ -5412,27 +5427,43 @@ static int smbios_decode(u8 *buf, const char *devmem, u32 flags)
 		memcpy(crafted, buf, 32);
 		overwrite_dmi_address(crafted + 0x10);
 
+		dmi_table_dump(table, len);
 		if (!(opt.flags & FLAG_QUIET))
 			printf("# Writing %d bytes to %s.\n", crafted[0x05],
 				opt.dumpfile);
 		write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
 	}
+	else
+	{
+		dmi_table_decode(table, len, num, ver, flags);
+	}
+
+	free(table);
 
 	return 1;
 }
 
 static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
 {
+	u16 ver, num;
+	u32 len;
+	u8 *table;
+
 	if (!checksum(buf, 0x0F))
 		return 0;
 
+	ver = ((buf[0x0E] & 0xF0) << 4) + (buf[0x0E] & 0x0F);
 	if (!(opt.flags & FLAG_QUIET))
 		printf("Legacy DMI %u.%u present.\n",
 			buf[0x0E] >> 4, buf[0x0E] & 0x0F);
 
-	dmi_table(DWORD(buf + 0x08), WORD(buf + 0x06), WORD(buf + 0x0C),
-		((buf[0x0E] & 0xF0) << 12) + ((buf[0x0E] & 0x0F) << 8),
-		devmem, flags);
+	/* Maximum length, may get trimmed */
+	len = WORD(buf + 0x06);
+	num = WORD(buf + 0x0C);
+	table = dmi_table_get(DWORD(buf + 0x08), &len, num, ver << 8,
+			      devmem, flags);
+	if (table == NULL)
+		return 1;
 
 	if (opt.flags & FLAG_DUMP_BIN)
 	{
@@ -5441,11 +5472,18 @@ static int legacy_decode(u8 *buf, const char *devmem, u32 flags)
 		memcpy(crafted, buf, 16);
 		overwrite_dmi_address(crafted);
 
+		dmi_table_dump(table, len);
 		if (!(opt.flags & FLAG_QUIET))
 			printf("# Writing %d bytes to %s.\n", 0x0F,
 				opt.dumpfile);
 		write_dump(0, 0x0F, crafted, opt.dumpfile, 1);
 	}
+	else
+	{
+		dmi_table_decode(table, len, num, ver, flags);
+	}
+
+	free(table);
 
 	return 1;
 }